Basic IT Security Terminology

In order to understand digital security, one must first understand the terminology. This document is the first in a series created by the ISC Project to provide basic definitions of words and phrases commonly used in the digital security field to describe systems, events, software, and hardware. This paper defines three commonly misused digital security terms: vulnerability, threat, and risk. These terms are fundamental to building an understanding of the digital security field.

A vulnerability is any flaw or weakness in a hardware device, software system, procedure, or process that can be exploited by viruses, malware, hackers, or other adversaries to compromise a system. These flaws may be present when a system is purchased, or they can be introduced by a user's failure to maintain the system correctly. Common vulnerabilities seen in computer systems include unpatched operating systems, unpatched application software, the use of default usernames and passwords, lack of a personal firewall, unencrypted wireless access points, and outdated virus definitions. These examples represent just a few of the thousands of vulnerabilities that exist in today's complex world of networks, mobile devices, and computers.

A threat is a potential danger associated with the exploitation of a vulnerability[1]. A good example is when a user does not update the Windows operating system when a security patch is available. The Windows system will work as normal, but there is now a potential danger, or threat, that a hacker can compromise the system. This does not mean that an attack is imminent or planned, just that a hacker could compromise the system. It is important to understand that a threat is only the potential for exploitation of the vulnerability. A threat agent is the entity that takes advantage of the vulnerability. Potential threat agents include hackers, malware, viruses, employees, and software.

Risk is the likelihood that a threat agent will exploit a vulnerability, combined with the corresponding personal or business impact[2]. For example, if a user opens his or her email program and clicks every link in every email in the spam folder, the user has significantly increased the likelihood, or risk, that the machine will be infected with a computer virus or malware program. However, if that same user has installed an antivirus program with up-to-date virus definitions, the risk of infection is significantly reduced (though not completely eliminated). It is important to understand that risk can never be entirely eliminated; rather, it can be reduced to an acceptable level.

Risk analysis and risk management are the processes used to identify and assess risk so that mechanisms can be put in place to reduce business and personal risk to an acceptable level. Risk management and risk analysis will be the subject of a forthcoming ISC Project white paper.

Remember: Risk is the likelihood that a threat agent will exploit a vulnerability.


[1] Harris, S. (2013). All-in-One CISSP Exam Guide, Sixth Edition. New York: McGraw-Hill, p. 26.

[2] Harris, S. (2013). All-in-One CISSP Exam Guide, Sixth Edition. New York: McGraw-Hill, p. 26.